Experts warned that a radical site-blocking program without proper checks and balances would end badly in Italy. On Saturday, at least one Cloudflare IP address was added to the Piracy Shield anti-piracy system. According to an expert, that ended up blocking "half of Italy's personal sites" not to mention a charity, a telecoms company, and several schools. It's the outcome many people predicted but one that could've been easily avoided.

Following a statement that Italy’s all-new anti-piracy system had received top marks from telecoms regulator AGCOM for “working perfectly,” on Saturday the truth came out in all its glory.

Piracy Shield has only been fully operational for a few weeks. So, expecting it to work flawlessly, right out of the box, was always unrealistic. There have been reports of unexpected behavior in the ticketing system, for example, plus other issues one might describe as relatively normal for a new system, or at least non-critical.

But while any unexpected behavior needs to be understood, the Piracy Shield system, i.e software, hardware, and sundry biological components, arguably had just one job to perform perfectly in its first month. Through meticulous care, prove the naysayers wrong by not blocking innocent sites and staying away from CDNs. A single IP address blocked in error can do damage anywhere but, on a platform such as Cloudflare, problems can multiple extremely quickly.

Like a Moth to a Flame

As reported less than two weeks ago, the first issue to cause elevated public concern was the blocking of Zenlayer CDN IP addresses. During the first two weeks in the public spotlight, that wasn’t ideal or even an isolated incident.

When AGCOM and anti-piracy group FAPAV turned up on TV recently to announce an expansion of Piracy Shield blocking, the system was said to be “working perfectly” while reports to the contrary were labeled “fake news.”

But even before those statements had time to fully sink in, along came Saturday afternoon, otherwise known as ‘TTFN CDN’.

AS13335 Cloudflare – IP: 188.114.97.7

Around 16:13 on Saturday, an IP address within Cloudflare’s AS13335, which currently accounts for 42,243,794 domains according to IPInfo, was targeted for blocking. Ownership of IP address 188.114.97.7 can be linked to Cloudflare in a few seconds, and doubled checked in a few seconds more.

The service that rightsholders wanted to block was not the IP address’s sole user. There’s a significant chance of that being the case whenever Cloudflare IPs enter the equation; blocking this IP always risked taking out the target plus all other sites using it.

Why blocking went ahead anyway has no good answers; from didn’t check and don’t understand to oops, too late…, how it managed to traverse the claimed checks and balances defies logic. Giorgio Bonfiglio, Principal Technical Account Manager at Amazon Web Services, warned of this specific risk last year. Some of the best advice available, pro bono, yet simply ignored.

“You can’t make this up, Piracy Shield has literally blocked half of Italy’s personal sites,” he wrote on Saturday.

“When I talked about the risks of the Piracy Shield last year I focused on the impossibility for an external observer to understand whether an IP is shared or not. I never expected they would block one of the top 5 CDNs in the world, an AS that does ONLY that,” he added.

Block Party Erupts

On February 2, 2024, developer Marco d’Itri (aka rfc1036) published a pearl of wisdom on Twitter. On Saturday, a little over three weeks later, he was the first to publicly confirm that what shouldn’t have happened, had obviously happened, to the surprise of no one
Reports of sites suddenly going offline came in quickly. The IP address block went live at 16:13 and by 16:31, Italy was already covered head to foot in black spots indicating no connectivity (Source: RIPE via @Auguzanellato).

EU citizens’ right to receive and impart information without interference often enters site-blocking discussions. Such concerns were waved away in Italy because the above would never be allowed to happen.

Communication to the Public, By The Public

On X, @Handymenny quickly pinpointed the source of his initial connectivity problem, and then went on to discover he was more affected than first thought. That appeared to pique his curiosity, so he decided to find out who else had been blocked.

His discoveries included the ODV Prison Volunteers Association, a charitable group with a key goal of improving communication between prisoners and their families. Elimobile.it, a telecoms company that relies on people communicating so that they a) buy SIM cards and b) can access Elimobile’s video services, was also blocked.
Several schools also suffering downtime is not just a terrible look. The laws and regulations passed last year that authorize rapid blocking include a mandatory educational component for kids. If anyone can think of a statement that will resonate with kids, to explain why preventing football piracy has a negative effect on education, answers on a blackboard please.

Block Quietly Removed, But That Won’t Be Enough

Around five hours after the blockade was put in place, reports suggest that the order compelling ISPs to block Cloudflare simply vanished from the Piracy Shield system. Details are thin, but there is strong opinion that the deletion may represent a violation of the rules, if not the law.

Another legal aspect of potential interest involves a general principle of EU law, one that requires authorities to strike a balance between the means used and the intended aim when exercising their powers.

IT enthusiast Ernesto Castellotti wasted no time deciding his course of action. Since his website was also unlawfully blocked on Saturday, he’s sent a civil access request to AGCOM demanding all information held on file to show why that happened. He’s also calling for the immediate resignation of the head of AGCOM “for demonstrated negligence in the implementation of the Piracy Shield project.”

As far as we’re aware, there has been no formal comment from AGCOM on Saturday’s disaster.